Skip to main content

NocoDB EUVDEUVD-2026-38611

| CVE-2026-47388 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 https://github.com/nocodb/nocodb GHSA-xxpj-q764-9r6q
2.3
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
Jun 05, 2026 - 16:56 vuln.today
Analysis Generated
Jun 05, 2026 - 16:56 vuln.today

DescriptionCVE.org

Summary

A low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership.

Details

The MCP readAttachment tool accepts caller-supplied path/url values and streams the file via the storage adapter. The handler now looks up the path in nc_file_references and requires a non-deleted row whose base_id matches the caller's MCP context before streaming; otherwise it returns Attachment is not accessible from this MCP context. The lookup tolerates both download/uploads/... and uploads/... styles.

Impact

Arbitrary read against shared storage scoped to attachments the caller's MCP context should not see. Exploitation requires an MCP token and a known attachment path.

Credit

This issue was reported by @helwor-01.

AnalysisAI

Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

NocoDB is an open-source no-code database platform distributed as an npm package (pkg:npm/nocodb). It exposes a Model Context Protocol (MCP) interface through which authorized token holders can interact with bases and their data. The vulnerable component is the MCP readAttachment tool, which accepted caller-controlled path or URL parameters and passed them directly to a storage adapter for streaming - a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) pattern. Because the handler never cross-referenced the requested path against the nc_file_references table to confirm the file's base_id matched the caller's MCP context, any token holder who knew a valid storage path could read files from arbitrary bases and workspaces. The fix introduces an ownership check: the handler now queries nc_file_references for a non-deleted row whose base_id aligns with the caller's MCP context and returns 'Attachment is not accessible from this MCP context' when no matching row is found. The lookup supports both download/uploads/... and uploads/... path styles.

RemediationAI

Upgrade NocoDB to version 2026.05.1 or later, which introduces the ownership check in the MCP readAttachment handler. This is the only confirmed remediation per the vendor advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-xxpj-q764-9r6q. If an immediate upgrade is not feasible, a targeted compensating control is to revoke or restrict MCP token issuance to fully trusted principals only, thereby limiting the pool of identities capable of invoking readAttachment. Alternatively, if the MCP interface is not operationally required, disabling MCP token generation eliminates the attack surface entirely, though this will break any MCP-based integrations. There are no generic workarounds that preserve full MCP functionality while blocking the vulnerability on unpatched versions.

Share

EUVD-2026-38611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy